lumma | hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Resubmissions

30-07-2024 10:46

240730-mvc8wsxbnr 6

30-07-2024 10:41

240730-mrjw9s1gkf 10

30-07-2024 10:36

240730-mnmtraxarm 6

Analysis

max time kernel
204s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
2124	main.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
4	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
744	2124	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133668097479974901"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	taskmgr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2856	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeRestorePrivilege	2208	7zG.exe
Token: 35	2208	7zG.exe
Token: SeSecurityPrivilege	2208	7zG.exe
Token: SeSecurityPrivilege	2208	7zG.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
2208	7zG.exe
1784	7zG.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe
1252	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2216	4832	chrome.exe	84
PID 4832 wrote to memory of 2216	4832	chrome.exe	84
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1700	4832	chrome.exe	85
PID 4832 wrote to memory of 1420	4832	chrome.exe	86
PID 4832 wrote to memory of 1420	4832	chrome.exe	86
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87
PID 4832 wrote to memory of 3272	4832	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff84ab6cc40,0x7ff84ab6cc4c,0x7ff84ab6cc58
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3756,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5044,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4876,i,7581117865157456602,4456755339424795193,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3312

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap32411:76:7zEvent14432
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11856:76:7zEvent15182
1⤵
- Suspicious use of FindShellTrayWindow
PID:1784

C:\Users\Admin\Downloads\main.exe
"C:\Users\Admin\Downloads\main.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1156
  2⤵
  - Program crash
  PID:744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2124 -ip 2124
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e54a8a242f39f9062d18ad63659fb892

SHA1
a993b5c6c5d5e940c1d22917ba1a1bc2aa1e996d

SHA256
78d98ad64fc2a3df3b1a380e46616f530f74301163bbab4e03dec63bbd9b99e9

SHA512
2d1c28b7fa6843a83ecb577c7e7ec9654f88d712ee27022dbff0213ec6fc0629a3a96d2d73738f50019db632490f020cd22dd913ef7469ae2b93041a2c023a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
65bb287a2186f471931f9770cbb7be5d

SHA1
7446edea38e60ca1f57e16ab1cc5986f68916d7f

SHA256
77eec241edba8b0f6e76ab7b48b7d399525c2abba8a01c527acb69e31b0d7452

SHA512
6cd779128c8e5dbf1ff22e9e421823762b8d3b6be8583afc18241fabfd031e241a6d7db55792c0f0dac1507045e488df61b0644a868772bb215b5002e1f0b745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
fe94e093c65cd997798752ed213b01ab

SHA1
3a9a51ff13d8cec3247e60176cb813dcd5493966

SHA256
1fc98b1643c9bb05e7492379f3b6a1357ace7bd6669868926c7eb07ce2f3ecfb

SHA512
4e03cf3702c3f91a575274ca7a16680b64d6fee2010c500ee911c4acf74465e87837061fe835342743a52177c045e7b6df4c53ee1851c994c6cbc284af7e06b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
3237f18808d3c8ec56d4e5ffb46f361d

SHA1
43adb5e31941e66a3e8b677c52961c232e0fbd73

SHA256
be214df1336d0555fac568f8299c1acab3d5f5d908ef4a70f9be00a2a7c4771f

SHA512
1abff1a00996802a59d13dee5b53492cc9275112ba81a4092578e443c5c5382857a4e2158f6b364952a80f7043251a5e8eabf289d0adea598af6f2ba62590f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0f5c44408e71da657e41ac2f7b102d7e

SHA1
b3ae6ee8b4982360d97a9d2892bc4282bd97e5a5

SHA256
9cfc565fd42d069778376e617defbcfdd171215cf524125e83da166d66af0d14

SHA512
1d73e0aca583ade4bbff197862c1435d463340239a9cc655417240b34c0ea0c317fc448596efb1b71d47c4a2943f7ca870a79427008cef0136aa4f366b02c5dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d70c5c798212a069e0a418f8b814d7c

SHA1
211276caa176717276c94bff9634679097211fa2

SHA256
09f29b9ffe56a925a490e7e40003df34c220aacaadb4235100645b30581f0113

SHA512
b2f2a1ed687a004b81c4176edb84396025d78a423c6fa99c4509d85d3911d09107076d29c0f40ad6aceb86899c6bd8fc06affb4bc14be6fb94fe88846a4dc193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
262a6161dc99ea7fd1a9fc87ab76c9f4

SHA1
cbf89b7112a81f22cde309900d175e5ffd09735a

SHA256
ece27c9bbe32f08a63bcd4edf35a94e947056b6d03dc3ce38e8c3d0179a73410

SHA512
be1f843df0d05359f5d1ada08210cc9a91ab12b247f76244ae8d792756f28b8fb974d63e9ab0e6439e1559248872778399ee1e6957b322a5a9fb3d54085135c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b7da91aec75b3c97ec9ceda99fa0576

SHA1
7a902774d823258def9ecdcb207c557a8daff39c

SHA256
c4fc550fc0184e1edcb2b0a315701af41df875c085f337a8b1bb70aaced59113

SHA512
3cbe3071429095e9e585df11f7d7224638e1977dfd3ef8f39c146fa959998a6610f171a7d72ffd264fdb53239f78429efef0941bdc5aede651910d7a0e547352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4d39329bc3a9d20c734a314148e03d1

SHA1
ec678e49bd4d94ddce825e50a833623a68c7b513

SHA256
ad4c5d6fee1d6f839885e48778884eafbde93297adb358233140957115aaee66

SHA512
bf384c843224e6b2f00098132655ede61f9e8b9904ac781f6538e57be8a45d145afcfc51104cfc3c983159e7709099a7e113c1eb20073613987ab786bbdf8134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
458f3ec155978e02862e878890178d43

SHA1
8ae6bd613ff98794a2cf6f5e30c467c047f98f19

SHA256
aaa355cdf9f2c69b2fd4030604fb8095195f56a76e6dd23276392294bec4693e

SHA512
3c3db2c04287d0fa4d122366b37f4b72ecd6c2f2067887f0f1143fd1284dcd99c762d9190d0903d4ce37facf4046cb21f518270dc4d22f44aae9cc8177f3db7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9687c33325d9f76113fc7b4188db41fa

SHA1
d6e7c6050ff06da82c5988ac055c06e05dd04a9e

SHA256
4a930298b81fd57167ed4af1b830ab43b6ea9862ff48bcdf2a187a8b412001ad

SHA512
51027b080dfb85c2f99a358e42f7b6aef6aa8120ed70beebc486ddb16aa5776bf987806891eee01dbd7088298cc92e4a3af48b13c6c3f937d4180b0a4fd2c126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b54004d4ce81b85b87214ca66653c5b7

SHA1
e09531ba65922f9708e7c084a57d2502f1ce283d

SHA256
3d946eecf328ebafa340c2c0d7b3faaa35e011fdc3e0fccf16c50b1923d6cb4f

SHA512
624da4fa60f8f123e0525a5c3146aa282293d5e8f90d1054e07892e3f6ea9d4f01059cbbc90677ea7f83545b8b7a54e5e5200f90570b9446a867c0b6605842f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
832296e6b49bab2a56fbda00229868e6

SHA1
976c75a236a49effdec9cd74409f0fec57389403

SHA256
20ffb8a7f1a2676abbe3520fa4c9a17c35884148ba32154db905425dd33e923d

SHA512
ef7c25d5776ae83f90239fa76338fe5755d429f5b548833a964ea99ebead843418f10344030823d17e77e90e83d01cd0730a9142edd5041a31303b5642920c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
afe6ab39c0ed2de4f67822e4e0fa0c67

SHA1
22065e98f8a3e650775cb82bf07138487b4dc86b

SHA256
f954d9cd23775c569772288a2514b8a6b9e545f94da04ed992aba2b0311108b3

SHA512
4720a4fce350469097057d206d36827bfc3817e79de463b9d068b4ccb97a4f924598463ba3148368b74eedbd5fe8b292b6658e2c635cc46bb931918cba75fe17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08c2b8c6745ef3532d4b741ba3c8236e

SHA1
00f014f130ed3efb9fb01b3085cece0a770795dc

SHA256
a7ecbe0ca5b969401697321d170023314138e34750993dccce0d30697d57cc3d

SHA512
1fff5488885681a03f616c177bd8b3a7602c1dbce7536fd5160b4e9270d8beef042d504f89e762ba0af5b89bc61fd1ea1184fae1454369710e60c10eda54d407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8cf7ef2304300723412d083177c8e35

SHA1
f85e3f12b427a0b77c7653712b0ae712a98c213a

SHA256
41b7a2628028783eea45ebeb745619aacf7e3b8588f750e8059b6a221d0f5c28

SHA512
e2e6902c28f409fa41ca9ff3ba5ee0c130e80083aca645c6dd28c9b392f11811cfe9df5e2183b39d301cd9ddb38449146faa515c81cadd4db2af8947f7abec89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c2b57456a355778d0862b62865f9b3b

SHA1
ced5e05ccdcb3c07bba5e6e3c0b1836cbbd69b90

SHA256
d6782eb025addd4b5b063d073f0d7fbd87aa5511529ab81641ef0867286e339f

SHA512
3928d2d121d07696e426c2bb8f76b077a68de930b22ebd00f9f296d99fab34778d1f2b0c90614d278709f5fed8c8f54ac851b3c7bfa9a91d974fbbdd48d47bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f9bf0a211b3d873301f40e0a9c96b8a

SHA1
cabff073291179fb699664d58c0ace98cab71f55

SHA256
00ace7cc68bc2f2a85a9906ff2bd9678ad07b1ee81080a16f93279713e63fe22

SHA512
4a900310829e9f757057bb2570990f5d468f0c62531719254254d41f5144322e9d02c870623f8e174f68df7e4c613cbdf59a80b86684503aa7ab9e261d14313c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
ce0a91c65852596897138b4d431c82fc

SHA1
882332f7c90705aebe8ed7402254fde405453270

SHA256
0400fb2e4404dd408d89189f04af30ecaaaa8cdb30da3100a3115216ce769f50

SHA512
d05fcf4790eded38489f2baa8d3490bd20bd11d8e5f5cbfeea2bf233f1fdba5e5b2b3e1ed8494167fdc26f91f2337d3e09476a65c8316dfb7158aa2e28f18ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
117c9564dfec15e4c3468af534272dad

SHA1
86aeb76d4de3d303b7c2d1fb0a6091016cea46cd

SHA256
75407ac4e60d631547fcacfbf035f31840c62ef7f7bc97ee653a57ca2fa11f73

SHA512
db6af6c4b9e791a7762b69c1f736cb84dff113d8a8565b956b3cd48dd83f4ec231f6d42b98ed8267033795465beb9b13cf18627ee243e4f1ce9d44befed8d090

Download Submit
C:\Users\Admin\Downloads\Tutorial.txt

Filesize
136B

MD5
ee6277d8476011bb2c294156b84c4d74

SHA1
c7fcb8b2ac1a6ba858a4f72f0ae21bcf4c278dc2

SHA256
dfbf6f42ab6d461d1a7533ff30a7c81c80c58704b0933f52c79987e9f66ed95c

SHA512
8f777642a54be57c7022bcdd34005914a0b9ee38e3875ee0a26c7290b04fde619c3a8aab5119de79960fa66b9a79754296516d9a2d87150e1c34bdb0ea30a6ec

Download Submit
C:\Users\Admin\Downloads\install.rar

Filesize
448KB

MD5
4564a9a35d9e7e7883faa2ed3361e0e4

SHA1
79a611b96bc0cdab0bea30423814b4ad7245800c

SHA256
06ce088beb65731be6268934f89d44a00d386e517ad88f8e28a8968c0a43b7e0

SHA512
efcec8c64edc5e23a7d24610c4a7e7facd3c682eb42875bc0b19e95ffc3479749d044a78f274cbdabd4252a07ef3da567aabe995abf2f5790da139203075fa51

Download Submit
memory/1252-220-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-216-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-221-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-211-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-219-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-218-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-217-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-222-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-210-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/1252-212-0x0000025D44780000-0x0000025D44781000-memory.dmp

Filesize
4KB

Download
memory/2124-226-0x00000000751F0000-0x0000000075354000-memory.dmp

Filesize
1.4MB

Download
memory/2124-224-0x0000000000EA0000-0x0000000000EF5000-memory.dmp

Filesize
340KB

Download
memory/2124-223-0x0000000000EA0000-0x0000000000EF5000-memory.dmp

Filesize
340KB

Download
memory/2124-190-0x0000000000E90000-0x0000000000E9D000-memory.dmp

Filesize
52KB

Download
memory/2124-191-0x00000000751F0000-0x0000000075354000-memory.dmp

Filesize
1.4MB

Download